CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts

Archive for the ‘Hacked’ Category

Significant Number Of WordPress Websites Compromised, IFrame Used For Affiliate Scheme

Friday, February 5th, 2010

Security researchers warn that a significant number of WordPress websites have been compromised recently as part of what looks to be a money-generating affiliate scheme. The header.php template files are being injected with obfuscated JavaScript code.

“Late last week, I noticed something of a surge in reports of a particular threat: hoards of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be Wordpress. One user report suggests that the malicious script is being added to the header.php template script used by Wordpress,” Fraser Howard, principal virus researcher at Sophos, writes on the company’s blog.

The obfuscated script is inserted right after the tag and its purpose is to load additional content via an IFrame and to pass visitors through a series of silent redirects. One of these 302 redirects passes the affiliate account of the attacker to a remote script, probably for remuneration purposes.

According to Mr. Howard’s analysis, a cookie for the domain rich-traffic.com is set in visitors’ browsers; this site is a Russian affiliate network where users can buy or sell IFrame traffic. “We sell only high quality iframe traffic for your various needs!” is written on the main page. Apparently, this offer refers to huge amounts of unique visitors spread across a wide variety of countries.

The issue of header.php files being modified without authorization has also been discussed in the support forums over at wordpress.org, with users suggesting that compromised FTP accounts might be the cause. This is consistent with the Sophos researcher’s conclusion, who writes that, “In this particular attack however, an out of date Wordpress installation does not appear to be the root cause – many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).”

It is worth noting that TechCrunch, one of the most popular technology blogs on the Internet, has recently faced several attacks, which resulted in its home page being altered. At least in one particular attack, the header.php file was modified to include a rogue message.

Credit: Softpedia.com News

US Congressional Websites Hit By Mass Defacement Attack

Thursday, January 28th, 2010

Over thirty websites of various Representatives and House Committees fell victim to mass defacement yesterday. The incident occurred shortly after President Obama gave his State of the Union address.

The attack seems to be politically motivated as it contained an offensive anti-Obama message. All affected websites are from within the house.gov domain and most of them served House Representatives. However, a few, such as gop.cha.house.gov, republicans.financialservices.house.gov, republicans.oversight.house.gov or resourcescommittee.house.gov, correspond to House committees.

According to Web defacement archive Zone-H, the Red Eye Crew is a prominent hacking group responsible for more than 45,000 defacements in 2009 alone. Around 2,000 of those defaced websites are listed as special, meaning they belong to governments, military organizations or important corporations.

Determining a specific point of entry for these attacks without any insider knowledge is hard. However, security researchers from Praetorian Security Group determined that all compromised websites use the Joomla content management system. “But not all of the Joomla CMS web sites [on the same server] are affected. This might indicate that it is a Joomla component that is to blame, however that is just speculation,” they write.

It is worth noting that a significant number of websites within the house.gov domain were defaced last August by a different group. At the time, there was information to suggest that the compromise was the result of default passwords that were left unchanged.

“Unfortunately we won’t know that until someone who manages house.gov provides some details. Server access seems unlikely, because while the sites we checked are hosted on dcserver1.house.gov, not every site hosted on that server is defaced (example congressman Joe Sestak’s web site was fine). The sites are not redirecting anywhere,” the Praetorian Security Group experts conclude.

Credit: Softpedia.com News

Hackers Deface TechCrunch.com And Abuse Admins

Tuesday, January 26th, 2010

Popular technology site TechCrunch was hit by hackers late on Monday, leaving the site temporarily unavailable.

A notice on TechCrunch.com’s front page on Tuesday morning explains that “TechCrunch.com was compromised by a security exploit”. Access to the site’s story archive has been suspended, leaving a two-paragraph notice on the hack as the only content visible on the site.

Hackers defaced the front page of the site with a message (recorded by Mikko Hypponen of F-Secure) apparently abusing site admins and including a link to a website that links to pornographic content and warez.

The problems began for TechCrunch at around 10:30 pm PST on Monday when unknown hackers modified its home page to only display the word “hi.” The page was later changed to read “We’ll be back shortly,” suggesting that webmasters regained control of the website.

After a while, the site was hacked again and a link called “rapidshare downloads” appeared on the home page. The link actually pointed to DupeDB, a known warez website, and was subsequently replaced by a “We’ll be back soon” message.

Hackers took over TechCrunch for a third time and left one offensive message accompanied by a link to the illegal content distribution site mentioned before. After this attack was also repelled, a final message from staff said “Earlier tonight techcrunch.com was compromised by a security exploit. We’re working to identify the exploit and will bring the site back online shortly.”

Specific technical details regarding the incident are lacking, but a DNS hijacking attack similar to those experienced by Twitter and Baidu is out of the question. According to some sources cited by Praetorian Prefect, TechCrunch was using WordPress 2.8.4 at the time of the incident and 2.9.1 after. This apparent platform upgrade suggests that a WordPress vulnerability might have been exploited.

This defacement was removed by site admins who are in the process of identifying the exploit involved in the hack, securing systems, and bringing TechCrunch back online.

The motives or perpetrators of the attack remain unclear but the timing - a day before Apple’s much anticipated iTab launch in San Francisco - could hardly be worse.

TechCrunch returned to business by Tuesday lunchtime. The site has published a story on the attack, which is still under investigation. Hackers redirected traffic as well as leaving a defacement, TechCrunch explains.

Update (Jan. 27): TechCrunch has been hit by potty-mouth hackers for the second time in 24 hours. The second hack features a foul-mouth rant aimed against site founder Michael Arrington. It also includes a link to the same online smut and warez-peddling Torrents site “promoted” via the previous attack.

Credit: The Register, Softpedia.com News

PlayStation 3 Gaming Console Cracked By iPhone Hacker

Tuesday, January 26th, 2010

The first hacker to successfully jailbreak the iPhone says he has pulled off yet another modding marvel, this time penetrating the previously impervious PlayStation 3 gaming console.

The hack by 20-year-old George Hotz, aka geohot, is significant because the PS3 was the only game console that hadn’t been hacked, despite being on the market for more than three years. The feat greatly expands the functionality of the box by allowing it to run unrestricted versions of Linux and a wide range of games that are currently forbidden. The hardware and software designer said it took him five weeks to develop the hack using a combination of modifications to the console’s hardware and software.

“Basically, I used hardware to open a small hole and then used software to make the hole the size of the system to get full read/write access,” he said in an interview. “Right now, although the system is broken, I have great power. I can make the system do whatever I want.”

The first three weeks were spent trying attacks to directly access memory of the console. He eventually settled on his current approach after realizing software approaches alone were insufficient.

A dropout of the Rochester Institute of Technology, geohot said he is declining to provide details to prevent Sony from introducing changes that would stymie the modifications. But a blog post announcing the accomplishment makes clear the hack gives users unprecedented control over their systems.

“I have read/write access to the entire system memory, and HV level access to the processor,” geohot wrote. “In other words, I have hacked the PS3.”

The hack will allow PS3 users for the first time to run unrestricted versions of Linux that have full access to the system’s central processing unit and graphical processing unit. That will greatly expand the kinds of things users can do with the console. For starters, they could use the mod to run emulators that will play PS2 games on the machine, something Sony strictly forbids. It could also allow programs like the VLC media player to run much more robustly. The hack also opens the door to pirated games on the console, although geohot said that’s an activity he’s not interested in pursuing.

Geohot said he doesn’t plan to release the software used to unlock the box until he can make it more reliable. It currently takes about 15 minutes to run and frequently fails to work properly. “If I posted what I have now, people would get fed up with it,” he said.

He praised the PS3 as a “pretty secure system,” that was harder to hack than many hardware systems he has penetrated.

While hacks of the Xbox and the iPhone have led to thriving developer communities that release custom applications for the modded devices, geohot said the challenge of overcoming the security overshadows those more practical outcomes.

“Personally, it’s a win for me just to do it,” he said. “It’s just cool to have it cracked.”

Credit: The Register

Boards.ie Database Breached, Admins Reset Passwords For All Members

Friday, January 22nd, 2010

Boards.ie, the most popular forum in Ireland with millions of unique visitors each month, suffered a serious security breach yesterday. As a precaution, the website was taken offline and a password reset was triggered for all registered users.

“Today, Thursday 21 Jan 2010 at 11:20 GMT the Boards.ie database was attacked by a source external to Ireland. […] In this attack, part of the database which includes our members’ usernames, email addresses and obfuscated passwords was accessed. While our investigations indicate that individual user accounts are not in danger we have taken the step of changing all user passwords,” an official announcement reads.

The website administration has been remarkably open about this incident and seems to treat it very responsibly. It immediately contacted the Gardai (Irish National Police) and the Data Protection Commissioner. No details regarding the specific attack method or origin have been released, as the investigation is in progress.

An independent security consultancy company has also been asked to advise regarding incident response procedure. “Like all large sites we are regularly the target for disruption and take continual actions to proactively protect your data. This particular attack was completely unprecedented despite our rigorous security measures and while we have no idea if this data will be used for any malicious reasons, we felt it vital to tell you this immediately,” the admins write.

The Boards.ie community website is built using the widely popular vBulletin forum software. Because of the security features implemented on the platform, user passwords were not stored in plain text inside the database. Even so, a decision to have them reset was taken as a precaution.

When the site is restored, users will have to request new passwords manually. In order to prove their identity, they are required to have access to the e-mail address associated with the account. Admins are still working on an alternative method for cases where users can no longer access the e-mail address they used to register their account.

The origins of the boards.ie forum date back to 1998, but the site has existed under the current name since 2000. It has over 220,000 registered members who communicate with each other on a variety of topics that touch on all aspects of life.

Credit: Softpedia.com News

Hundreds Of Websites Hosted At Network Solutions Defaced

Thursday, January 21st, 2010

Network Solutions announced that several hundred websites hosted on its infrastructure fell victim in a mass defacement attack during the past several days. Preliminary findings suggest that a remote file inclusion technique was used to compromise several of the company’s Unix servers.

Network Solutions is one of the top five Internet domain name registrars, managing around 6.5 million domains as of January 2009. Apart from its successful domain registration business, the company also offers other services such as Web hosting, ecommerce or online marketing solutions.

The problems began for Network Solutions last weekend when several customers reported their websites being defaced by hacktivists. Most of the attacked websites had anti-Israel messages posted on their home page and displayed violent images.

At first, the Internet firm thought a vulnerability in a Web application shared by these websites might be the culprit. “We are running a scan to see if we can proactively determine if any hosting accounts are impacted. Proponents of malware and hacking commonly look for websites with vulnerabilities. These include weak passwords, third party applications that aren’t up to date or sometimes weakness could emanate from lack of updated anti-virus software on PCs,” Shashi Bellamkonda, the company’s director for social/new media strategy, wrote on Sunday.

However, it appears that these attacks were made possible by the configuration of the hosting servers themselves, which opened a remote file inclusion (RFI) weakness. Such vulnerabilities stem from improper validation of values passed in through the $_GET or $_POST variables under certain PHP configurations.
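As an added example (not code from Network Solutions or from the article), the PHP include() pattern behind this class of bug is shown beside a hardened version that treats the request parameter as a key into an allowlist rather than as a path; the pages/ directory and its file names are assumptions.

```php
<?php
// Added example (not Network Solutions' code): the PHP include() pattern behind
// remote file inclusion, beside a hardened version. Assumes a "pages/" directory
// next to this script containing home.php, about.php and contact.php.

// VULNERABLE: the request parameter reaches include() unvalidated. When the server
// runs with allow_url_include=On, a URL supplied as ?page= makes PHP fetch and
// execute whatever that URL returns; even with it off, a relative path can still
// pull in arbitrary local files. Kept here only to show the defect.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the untrusted value is a lookup key into a fixed allowlist, never a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the allowed file, or null when the request is rejected.
function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;                       // unknown key: reject, do not guess
    }
    $base = realpath(__DIR__ . '/pages');
    $file = realpath(__DIR__ . '/pages/' . ALLOWED_PAGES[$page]);
    // Defence in depth: the resolved file must really live under pages/.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

function render_page_hardened(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $file;
}

// Server-side settings that close the class of bug independently of application
// code (php.ini or per-vhost): allow_url_include=Off, allow_url_fopen=Off unless
// genuinely needed, and open_basedir restricted to the site's document root.
render_page_hardened($_GET['page'] ?? 'home');
```

The server-side settings in the closing comment are the kind of host-level configuration change the article says Network Solutions was weighing, since they take effect for every customer site on the box regardless of its application code.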

“Hackers were able to add a file displaying illegitimate content on top of the customer website content. This was an issue on multiple servers and unknown intruders were able to get through by using a file inclusion technique. There was no danger to any personally identifiable or secure information,” Mr. Bellamkonda announced yesterday in an update on the company’s blog.

Network Solutions is working with affected customers to restore their websites and is closely monitoring the threat. It has yet to decide if the best course of action is to make permanent changes to the configuration of its servers, a decision that might affect the functionality of existent websites.

Credit: Softpedia.com News

BerliOS Open Source Project Portal Hacked And Defaced

Thursday, January 14th, 2010

In a recent attack on the web server of the BerliOS (Berlin Open Source) open source platform intruders replaced the portal’s home page. The unknown attackers left a message accusing the BerliOS operators of not investing enough time in proper system maintenance – and in protection against attacks.

“Open source mediator” BerliOS, which is part of the Fraunhofer Institute (FOKUS), hosts a number of developer projects on its systems. According to the injected message on the now-restored home page, the attackers were also able to access the svn.berlios.de, download.berlios.de and example.sheep.berlios.de servers.

While the intruders said they didn’t manipulate any site content, they pointed out possible manipulations by others. According to the unknown hackers, BerliOS had already had secret visitors in 2005. The attackers said this was indicated by the presence of a developer.php.de.hacker file stored on the web server.

When asked by The H’s associates at heise Security, BerliOS confirmed the manipulation. The operators say that so far, apart from the traces of the intrusion, they have not found any sign of manipulated files. In a brief reply Jörg Schilling, BerliOS employee and developer of the cdrecord open source software said “Therefore, I currently don’t see a reason to issue a warning”. Schilling didn’t supply any details about the vulnerability the intruders exploited.

Credit: H-Online.com

Targeted Attack Hits Chinese Gmail Accounts, Google Might Exit China

Tuesday, January 12th, 2010

Google plans to curb its controversial practice of censoring search results in China after uncovering a “highly sophisticated and targeted attack” designed to steal information about human rights activists from its Gmail service and at least 20 other large companies.

The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists. Although only two email accounts appear to have been breached, “accounts of dozens of US-, China- and Europe-based Gmail users who are advocates of human rights in China” have been routinely breached, most likely as a result of phishing or malware attacks, the company said Tuesday.

The discovery came as Google uncovered similar attacks on at least 20 other companies in the financial, technology, media, and chemical industries. In light of the revelations, Google said it is considering shuttering its Chinese operations altogether.

“These attacks and the surveillance they have uncovered - combined with the attempts over the past year to further limit free speech on the web - have led us to conclude that we should review the feasibility of our business operations in China,” Google’s chief legal officer David Drummond wrote. “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

Drummond said Google has already used the investigation findings to introduce security improvements. The company is also in the process of sharing its findings with law enforcement authorities and the other targeted sites.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” Drummond wrote.

He didn’t provide details about the two breached Gmail accounts except to say that “activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” The names of the 20 large companies were also omitted.

Google, whose corporate credo is “Don’t be evil,” entered the Chinese market in 2006 with the promise to censor search results that were objectionable to the country’s government.

Credit: The Register

Server Of Suffolk County National Bank Breached, 8,300 Customer Logins Stolen

Tuesday, January 12th, 2010

Hackers have stolen the login credentials of more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system.

The intrusion at Suffolk County National Bank happened over a six-day period that started on November 18, according to a release issued Monday. It was discovered on December 24 during an internal security review. In all, credentials for 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB’s total

“Although the intrusion was limited in duration and scope, SCNB immediately isolated and rebuilt the compromised server and took other measures to ensure the security of data on the server,” the bank, located about an hour east of New York City, stated. “To date, SCNB has found no evidence of any unauthorized access to online banking accounts, nor received any reports of unusual activity or reports of financial loss to its customers.”

The breach represents a variation on more traditional types of attacks on online banking. Cyber crooks typically target customers by surreptitiously planting malware on their computers that logs their user name and password. The FBI estimates that losses among small and medium-sized businesses alone have reached $100m.

By contrast, accessing a server that stores online credentials for tens of thousands of customers isn’t the kind of intrusion one hears about every day. Best security practices are clear that passwords should never be stored on servers unless they are encrypted.

The bank began notifying affected customers on Monday evening using first-class mail. The two-week delay “was necessary for making a lot of arrangements so we could come out with an absolutely conclusive statement about what happened,” said Douglas Ian Shaw, the bank’s corporate secretary. Retail customers whose details were lifted will be given two years worth of credit monitoring services at SCNB’s expense.

In the fourth quarter, the bank budgeted $351,000, or about 4 cents per share, to account for expenses related to the intrusion. Additional expenses may be incurred.

Credit: The Register

Twitter DNS Hackers Hit Chinese Search Engine Baidu.com

Tuesday, January 12th, 2010

The same group that used a DNS attack to hijack Twitter last month has defaced the home page of Chinese search engine Baidu.

Baidu, formed in 2000, is China’s number one search engine, dominating the home market for online searches - partly because it had a six-year head start over Google. As a result of its huge popularity, it’s no wonder that from time to time hackers might try and take advantage of the site, just as top websites can be in the frame for attack in the West.

Surfers visiting Baidu’s site on Monday night were confronted by the message “This site has been hacked by Iranian Cyber Army”, together with an image of the Iranian flag. Early speculation suggests the attack involved changing Baidu’s DNS records rather than a direct attack on the site itself, but this remains unconfirmed.

The attack might have been used to point the millions of Chinese users who use Baidu every day towards a site that took advantage of browser exploits to infect computer users with malware. So it’s perhaps fortunate that the Baidu hack involved only political graffiti.

By Tuesday morning, Baidu’s site had been cleaned up.

Credit: The Register, Sophos Blogs
